Using ImageMagick on a SpeedZone managed server is simple, but there are a few important points to keep in mind.
ImageMagick is a powerful tool for processing image files, but with its power and complexity come potential security risks.
To mitigate these risks, ImageMagick enforces a security policy through its configuration file. The policy limits memory usage and file sizes, controls which files the system can open and from where, and applies additional security restrictions.
On the SpeedZone platform, ImageMagick uses a security policy based on the “limited” configuration shipped with the software.
In some cases, users may need to relax specific rules. They can do this within their own user context.
Please note the following:
- Users cannot override all settings, and the rules may change over time.
- Users can modify some settings by installing a minimal user-level configuration.
For example, an operation blocked by the policy fails with an error such as:
magick: attempt to perform an operation not allowed by the security policy `URL'
To get around this specific limitation, it is sufficient for the virtual server user to create a file at ~/.config/ImageMagick/policy.xml in their home directory with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ATTLIST policymap xmlns CDATA #FIXED ''>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="module" rights="read|write" pattern="URL"/>
</policymap>
- Some rules cannot be relaxed if the system configuration has already been loaded, as it is read first by default. This can be overridden by changing the ImageMagick configuration loading order using the environment variable MAGICK_CONFIGURE_PATH, so that the user configuration is loaded first:
MAGICK_CONFIGURE_PATH="$HOME/.config/ImageMagick:/usr/share/ImageMagick-7"
The previously made policy change will take effect within 5 minutes after executing the following command:
touch ~/domeenid/*/phpini/global/php.ini
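Before installing a user-level policy.xml like the one above, it helps to check that it relaxes only the rule you intended. The following is an added example, not SpeedZone's or ImageMagick's own code: the function names, the reviewed allowlist, and the extra `coder` rule in the sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the user-level policy.xml from this page, plus one
# hypothetical over-broad rule added only to show what the audit flags.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ATTLIST policymap xmlns CDATA #FIXED ''>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="module" rights="read|write" pattern="URL"/>
  <policy domain="coder" rights="read|write" pattern="*"/>
</policymap>
"""

def granted_rights(policy):
    """Return the set of rights a <policy> element grants ('none' -> empty)."""
    rights = policy.get("rights", "")
    return {r.strip().lower() for r in rights.split("|") if r.strip()} - {"none"}

def audit_policy(xml_text, expected):
    """List rules that grant rights but were not reviewed, or use wildcards.

    expected: set of (domain, pattern) pairs the user meant to relax.
    Returns (domain, pattern, sorted rights, reason) tuples.
    """
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        rights = granted_rights(policy)
        if not rights:
            continue  # restrictive rule or resource limit: nothing relaxed
        key = (policy.get("domain"), policy.get("pattern", ""))
        if "*" in key[1] or "?" in key[1]:
            findings.append((*key, sorted(rights), "wildcard pattern"))
        elif key not in expected:
            findings.append((*key, sorted(rights), "not in reviewed allowlist"))
    return findings

if __name__ == "__main__":
    # Only the URL module relaxation from this page is treated as reviewed.
    for finding in audit_policy(SAMPLE_POLICY, {("module", "URL")}):
        print("REVIEW:", finding)
```

To audit a real file, pass the contents of ~/.config/ImageMagick/policy.xml as `xml_text`.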